Contents

Introduction

In a previous article: How to save and restore Registry Keys, I have provided a command-line tool to save/restore registry keys to/from data files. That's why I invite you if you are not familiar with this topic, to read first the previous article to have an idea about the subject. The provided tool in that article suffers from the fact that restoring keys from data files is not secure at all, except if we know exactly that the following two conditions are met:

The data file corresponds exactly to the key we want to restore.

The data file is exactly the same as the one that has been saved, i.e., has not been modified or corrupted.

The present article does not only respect the previous two conditions, but also provides a more general tool that can be used in two modes: in scripts as a command-line tool, and in UI mode as shown in the image above. In order to respond to these two conditions, we have to provide a registry configuration file (don't confuse with the program configuration file as indicated in the sequel, they are not necessarily the same) in which we add during saving stage, two important pieces of information:

The correspondence between the data file location and the registry key path.

A CRC32 value (Cyclic Redundancy Checksum in a 32-bit number) corresponding to the saved data file.

When it's time to restore data, we have to check data integrity, i.e., two things:

Correspondence Key/File: we look for the data file in the configuration file corresponding to the key we want to restore (already done in save stage).

File integrity check: we compute its CRC32, we compare it with the reported CRC32 (in save stage). If the two CRCs are the same, then we proceed to the restore action, otherwise the data file is not restored.

Basically, two Windows APIs have been used in the project: RegSaveKey and RegRestoreKey. There is no way by using these two API functions to ensure that saving and restoring registry keys is secure. It is said in MSDN:

"If RegSaveKey fails part way through its operation, the file will be corrupt, and subsequent calls to RegLoadKey, RegReplaceKey, or RegRestoreKey for the file will fail."

In order to use the tool accompanying this article, the calling process has to use an account in the Administrators group. The tool adds necessary privileges for saving and restoring registry, namely SE_BACKUP_NAME (SeBackupPrivilege) or/and SE_RESTORE_NAME (SeRestorePrivilege) respectively. It will be a good exercise to test for real privileges to achieve these two tasks without being in the Administrators group.

To save a registry key to file.To restore a registry key from file.Take HKCU, HKLM, HKUSERS, or HKCURCFG.Subkey path.Input file in restore mode or output file in save mode.Program configuration file used to secure restoring data. It contains also other information.

ROOT values meaning:

HKCU

HKEY_CURRENT_USER

HKLM

HKEY_LOCAL_MACHINE

HKUSERS

HKEY_USERS

HKCURCFG

HKEY_CURRENT_CONFIG

Remark: The program configuration file CONF_FILE is the file indicating the server name where the registry save/restore configuration file should be located as the value of ServerPath key and the configuration file name as the value of ConfigFile key. Following are two examples of such a file:

[SETTINGS];The Server path is in the same directory as the program RegSR.exeServerPath =.;The config file nameConfigFile =RegConfig.ini

[SETTINGS];The Server path is on the machine whose name MyServer in the share called MyShareServerPath =\\MyServer\MyShare;The config file nameConfigFile =MyRegConfigFile.ini

In Example 1, the program will save key and file data including file CRC32 information in the file .\RegConfig.ini.

In Example 2, the program will save key and file data including file CRC32 information in the file \\MyServer\MyShare\RegConfig.ini.

Note that the program configuration file may be the same as the registry save/restore configuration file. In this case, we have to make the parameter CONFIG_FILE to be the same as ServerPath\ConfigFile.

<A name=#Whencanweusetheprovidedtool><A name=#3>When can we use the provided tool

The provided tool can be used in many contexts such as:

To manage users profiles with respect to the registry.

To configure software with respect to the registry at any time not necessarily during installation process.

To configure hardware as printers, scanners, etc.

<A name=#Contextuse>Context use

If you are running the tool in a a different context than the current user, like as in a service context, you cannot use HKCU (HKEY_CURRENT_USER) since you don't have the registry visibility of the logged-on user. In such a case, you can accede HKCU by the main of its SID under the registry hive HKUSERS (HKEY_USERS) with the condition that the SID value can be obtained. This is an example:

Here, we restore the data file C:\Office.dat to the user whose SID=S-1-5-21-861567501-842925246-854245398-1004 to its key Microsoft\Office. The example above is equivalent to the following line but in the context of the current user:

RegSr /R /H:HKCU /K:Microsoft\Office /P:C:\Office.dat

<A name=#Howcanweusetheprovidedtool>How can we use the provided tool

There is a generic VBScript RegSr.vbs as shown below using the provided tool to save/restore registry keys. You can customize it with respect to your requirements. It generates a log file RegSR.log in the temporary directory containing the exit code of the program RegSR.exe. The returned codes are:

1

Non valid arguments

2

File not found

else

Returned code from RegSR.exe. It can be also 2.

To use the script, you have just to use the same syntax as that of the tool, i.e.,

<A name=#Usingthecode>Using the code

The program is based on a WIN32 project. It contains the following classes:

CRegSRApp (RegSR.h)

Application class. I leave to the reader to extract a class not necessarily based on the application class (CRegSRApp) which can be used in any project to save/restore registry.

CMainDlg (MainDlg.h)

Main dialog class shown in UI mode.

CCRC32 (CRC32.h)

Used to compute files' CRC32.

The trick to be able to call save/restore functions from the dialog implementation is to use the intermediate CWinApp member theApp by which we can call the unique non-constructor application two public functions:

void SetParams(CmdParams &P, int &PNum)

Set parameters from command-line or from main dialog if the program is called in UI mode.

void DoSaveRestore(DWORD &RetErr)

That's the function which really does the registry save or restore job.

I invite the reader to see inside the project for details about these two functions in particular. One private function worth to be explained is the function called to check for data integrity in restore stage, that's where we ensure that the data to restore is the right data and we don't risk shattering the registry.

<A name=#PointsofInterest>Points of Interest

How to provide in one project a command-line and UI tool with minimum work.

How to make saving registry to data file and especially restoring registry from data file very safe, by providing a registry configuration file.

In order to take more advantage of this work, we can easily extract an application-independent class to save/restore registry keys.

<A name=#History>History

First version: August 2004.

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

Comments and Discussions

When I see the words "Very Secure", I think of Security?? What is "Very Secure" about this? Is it the fact that you are using CRC32 (which is good) or the privs "SE_BACKUP_NAME and SE_RESTORE_NAME", because that is what's needed just to do SaveKey and RestoreKey??

Not saying I don't like the article, just wondering where you get the word "Secure" from??

"Very Secure", I would think of:

Using Hashes (registry/files)Encrypting the files/registry dataRegistry Key PrivilegesPasswords for the aboveetc...

In fact, the word used in the article's title "secure" means "safe" (non dangerous) in the sense that there is no risk when the registry keys are restored. The safety aspect is achieved by using CRC32. And it has nothing to do with security as you have noticed.

I don't know if it is possible de modify articles title in CodeProject!

No problem, I am working on an article that will allow a user to set their privs/rights, even run programs under the SYSTEM context. A lot of this can be incorporated into your project to set the privs on files & registry keys which would give it a real security touch. I will send you a copy when it is ready for testing if you would like